Cybersecurity experts at Sophos X-Ops have uncovered a wave of attacks targeting unpatched Citrix NetScaler systems exposed to the internet.
Describing the malicious campaign on X last Friday, the security researchers said it leveraged a critical remote code execution vulnerability (CVE-2023-3519), allowing threat actors to infiltrate systems and conduct domain-wide cyber campaigns.
The similarity between these attacks and previous incidents utilizing the same tactics, techniques and procedures (TTPs) has raised concerns about a potentially organized and experienced threat group.
The attack, which Sophos X-Ops has been tracking, began in mid-August with the compromise of vulnerable, internet-facing systems. Once inside the targeted network, the attackers used the NetScaler vulnerability as a code-injection vector to launch a domain-wide assault.
In the later stages, the attacks showed a higher level of sophistication, marked by several malicious actions: injecting malicious code into critical Windows processes to tighten control over compromised hosts, staging malware on specific online platforms, and running heavily obfuscated scripts that were difficult to detect and decipher.
Moreover, Sophos X-Ops observed the deployment of randomly named PHP webshells on victim machines, a tactic consistent with other industry reports. The collaboration between different security entities in revealing the nature of these attacks has provided a broader understanding of the threat landscape.
In fact, the attacks closely align with findings reported by Fox-IT in August, which unveiled that approximately 2000 Citrix NetScaler systems worldwide had been compromised due to CVE-2023-3519.
In response, Citrix issued a patch for the CVE-2023-3519 vulnerability on July 18. However, the implications of these attacks go beyond simple patch application. To ensure comprehensive protection, organizations are urged not only to apply the patch but also to meticulously inspect their network for signs of compromise.
With the injected payload still under analysis, Sophos X-Ops suspects the involvement of a well-known ransomware threat actor, attributing this wave of attacks to the Threat Activity Cluster STAC4663.
Organizations are encouraged to examine historical data for traces of the identified Indicators of Compromise (IoCs) and follow Sophos X-Ops’ guidance to safeguard their infrastructure from the ongoing threat.
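The report's two practical recommendations, hunting for the randomly named PHP webshells it describes and reviewing historical data for signs of compromise, can be approached with a simple file-listing review. The following is an added example, not code from Sophos X-Ops or Citrix: it takes a listing of files under a web root (a constructed placeholder path, `/webroot/`, not a real NetScaler directory) with their modification times, compares it against a known-good baseline manifest, and flags PHP files that are absent from the baseline, carry a machine-generated-looking name, or were modified after the vendor fix date stated in the article. The random-name heuristic (mixed letters and digits, or high per-character entropy) and the sample listing are assumptions made for illustration.

```python
import math
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Vendor fix date as stated in the article; files changed after it and
# absent from a known-good baseline deserve a closer look.
PATCH_RELEASE = datetime(2023, 7, 18, tzinfo=timezone.utc)


@dataclass(frozen=True)
class FileEntry:
    path: str
    mtime: datetime


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption, not a vendor rule) for machine-generated
    file names: a stem of 8+ characters mixing letters and digits, or a
    10+ character stem with unusually high per-character entropy."""
    has_alpha = re.search(r"[a-z]", stem, re.I) is not None
    has_digit = re.search(r"\d", stem) is not None
    if len(stem) >= 8 and has_alpha and has_digit:
        return True
    return len(stem) >= 10 and shannon_entropy(stem) >= 3.3


def hunt(entries: list[FileEntry], baseline: set[str]) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every PHP file worth a second look,
    strongest findings (most reasons) first."""
    findings = []
    for e in entries:
        if not e.path.lower().endswith(".php"):
            continue
        reasons = []
        if e.path not in baseline:
            reasons.append("not_in_baseline")
        stem = e.path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random_name")
        if e.mtime > PATCH_RELEASE:
            reasons.append("modified_after_patch")
        # A baseline file touched after the patch may simply be an update;
        # only report files that are unknown or that look generated.
        if "not_in_baseline" in reasons or "random_name" in reasons:
            findings.append((e.path, reasons))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


# Constructed sample data: a known-good manifest and a current listing.
BASELINE = {"/webroot/index.php", "/webroot/login.php"}
SAMPLE_LISTING = [
    FileEntry("/webroot/index.php", datetime(2023, 6, 1, tzinfo=timezone.utc)),
    FileEntry("/webroot/login.php", datetime(2023, 6, 1, tzinfo=timezone.utc)),
    FileEntry("/webroot/a7f9c2e1.php", datetime(2023, 8, 15, tzinfo=timezone.utc)),
    FileEntry("/webroot/helper.php", datetime(2023, 8, 20, tzinfo=timezone.utc)),
    FileEntry("/webroot/xq9vk2mz.php", datetime(2023, 6, 1, tzinfo=timezone.utc)),
    FileEntry("/webroot/notes.txt", datetime(2023, 8, 20, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_LISTING, BASELINE):
        print(f"{path}: {', '.join(reasons)}")
```

On a real appliance the listing would come from a filesystem walk and the baseline from a clean install or a pre-incident backup; anything flagged with all three reasons should be preserved for forensic review before it is removed, since the article notes that the injected payload is still being analysed.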